CVE-2025-52586

The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.

CVSS v3 6.9 MEDIUM

6.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.4 / Impact : 5.5

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://eg4electronics.com/contact/
https://eg4electronics.com/wp-content/uploads/2025/09/EG4-Wi-Fi-Dongle-Dongle-Firmware-Update.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07

Configurations

No configuration.

History

08 Sep 2025, 17:15

Type	Values Removed	Values Added
References		() https://eg4electronics.com/wp-content/uploads/2025/09/EG4-Wi-Fi-Dongle-Dongle-Firmware-Update.pdf -
Summary		(es) El tráfico de comandos MOD3 entre la aplicación de monitorización y el inversor se transmite en texto plano, sin cifrado ni ofuscación. Esta vulnerabilidad podría permitir que un atacante con acceso a una red local intercepte, manipule, reproduzca o falsifique datos críticos, como operaciones de lectura/escritura de voltaje, corriente y configuración de potencia, estado operativo, alarmas, telemetría, reinicio del sistema o comandos de control del inversor, lo que podría interrumpir la generación de energía o reconfigurar los ajustes del inversor.

08 Aug 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-08 16:15

Updated : 2025-09-08 17:15

NVD link : CVE-2025-52586

Mitre link : CVE-2025-52586

CVE.ORG link : CVE-2025-52586

JSON object : View

Products Affected

No product.

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2025-52586", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 1.4}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-08T16:15:27.617", "references": [{"url": "https://eg4electronics.com/contact/", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://eg4electronics.com/wp-content/uploads/2025/09/EG4-Wi-Fi-Dongle-Dongle-Firmware-Update.pdf", "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07", "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "The MOD3 command traffic between the monitoring application and the \ninverter is transmitted in plaintext without encryption or obfuscation. \nThis vulnerability may allow an attacker with access to a local network \nto intercept, manipulate, replay, or forge critical data, including \nread/write operations for voltage, current, and power configuration, \noperational status, alarms, telemetry, system reset, or inverter control\n commands, potentially disrupting power generation or reconfiguring \ninverter settings."}, {"lang": "es", "value": "El tr\u00e1fico de comandos MOD3 entre la aplicaci\u00f3n de monitorizaci\u00f3n y el inversor se transmite en texto plano, sin cifrado ni ofuscaci\u00f3n. Esta vulnerabilidad podr\u00eda permitir que un atacante con acceso a una red local intercepte, manipule, reproduzca o falsifique datos cr\u00edticos, como operaciones de lectura/escritura de voltaje, corriente y configuraci\u00f3n de potencia, estado operativo, alarmas, telemetr\u00eda, reinicio del sistema o comandos de control del inversor, lo que podr\u00eda interrumpir la generaci\u00f3n de energ\u00eda o reconfigurar los ajustes del inversor."}], "lastModified": "2025-09-08T17:15:34.037", "sourceIdentifier": "ics-cert@hq.dhs.gov"}